redline | d213d41eec83394b49776b106eed246b7f7b8a460e195355122c2ed15df4de42

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f0e069ed91dc3fb0ae9346321c4339.exe
Size

376KB
MD5

14f0e069ed91dc3fb0ae9346321c4339
SHA1

371e99aae41a83b844601f3d6b1c9d0fef81096a
SHA256

d213d41eec83394b49776b106eed246b7f7b8a460e195355122c2ed15df4de42
SHA512

938d261e3f368888ad85c339981e564de83aa138210a622db052e3f569d7fa3c4d2e8382796b63a1fa36e0b61054c91ed8294c14ed20259eadc0cd2c4401e3be
SSDEEP

6144:KCy+bnr+Vp0yN90QEsV3PthxfuUJNMk/+leNXZmO8HJshOsY59ks:OMr1y90+tvxpy0+lUXaDsYvks

Score

10^/10

redline infostealer persistence stealer

Malware Config

Signatures

Detects Redline Stealer samples 1 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

resource	yara_rule
behavioral2/memory/928-148-0x00000000074A0000-0x0000000007AB8000-memory.dmp	redline_stealer

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1444	x7909358.exe
928	g5876315.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	14f0e069ed91dc3fb0ae9346321c4339.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	14f0e069ed91dc3fb0ae9346321c4339.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x7909358.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7909358.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 1444	4848	14f0e069ed91dc3fb0ae9346321c4339.exe	89
PID 4848 wrote to memory of 1444	4848	14f0e069ed91dc3fb0ae9346321c4339.exe	89
PID 4848 wrote to memory of 1444	4848	14f0e069ed91dc3fb0ae9346321c4339.exe	89
PID 1444 wrote to memory of 928	1444	x7909358.exe	90
PID 1444 wrote to memory of 928	1444	x7909358.exe	90
PID 1444 wrote to memory of 928	1444	x7909358.exe	90

C:\Users\Admin\AppData\Local\Temp\14f0e069ed91dc3fb0ae9346321c4339.exe
"C:\Users\Admin\AppData\Local\Temp\14f0e069ed91dc3fb0ae9346321c4339.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe
    3⤵
    - Executes dropped EXE
    PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe

Filesize
204KB

MD5
a9076dc57ed643e3f38f415ae2604930

SHA1
b869a90abf162977ae3c2a0d4f5a4ad702a68579

SHA256
e67435424bf6d4efe2ea3915f7aef50ee65b7210b64777a92d3e22e21d8bca45

SHA512
0c3c3d5367475ebb52d4499ef6cc40b88d27c1726e96408d1b96d1da9b565b5d1ff1004b22a33a022f9c7b848aa3c773be28e120ee4edbba52b1424ce304f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7909358.exe

Filesize
204KB

MD5
a9076dc57ed643e3f38f415ae2604930

SHA1
b869a90abf162977ae3c2a0d4f5a4ad702a68579

SHA256
e67435424bf6d4efe2ea3915f7aef50ee65b7210b64777a92d3e22e21d8bca45

SHA512
0c3c3d5367475ebb52d4499ef6cc40b88d27c1726e96408d1b96d1da9b565b5d1ff1004b22a33a022f9c7b848aa3c773be28e120ee4edbba52b1424ce304f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5876315.exe

Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
memory/928-147-0x0000000000210000-0x0000000000238000-memory.dmp

Filesize
160KB

Download
memory/928-148-0x00000000074A0000-0x0000000007AB8000-memory.dmp

Filesize
6.1MB

Download
memory/928-149-0x0000000006F40000-0x0000000006F52000-memory.dmp

Filesize
72KB

Download
memory/928-150-0x0000000007070000-0x000000000717A000-memory.dmp

Filesize
1.0MB

Download
memory/928-151-0x0000000006FE0000-0x000000000701C000-memory.dmp

Filesize
240KB

Download
memory/928-152-0x0000000006FD0000-0x0000000006FE0000-memory.dmp

Filesize
64KB

Download
memory/928-153-0x0000000006FD0000-0x0000000006FE0000-memory.dmp

Filesize
64KB

Download